Kobo Clara HD Notes for Nickel

My ereader of choice is the Kobo Clara HD and I particularly like it because my eyes hurt less when reading for long periods of time compared to when I read on my phone or when I still had my iPad. It also had much longer battery life and only need to charge it about once every two weeks when I read for about 4 hours on average daily.

However, the two notable things I don’t like about it is it’s included telemetry, like using Google Analytics by default and keeping a unique salt

Spyware/Anti-Features:

• Google Analytics (a lot of actions, if not everything, is sent to Google)
• Auto-update by default
  • I prefer being able to review what the new update provides and choose not to apply it
  • I don’t like the new redesign in firmware v4.23.15505

I’m also assuming your Kobo reader and it’s SD card’s device file would be would located at /dev/sdf and be mounted at /mnt/kobo.

If you’re going to not be using Nickel and instead be using something like Plato, there’s a newer version of this article available here, but the notes are for KSM loading Plato directly and not though k/fmon because I don’t want to load Nickel if I’m already using a different reader.

Upgrade/Backup Included SD Card

While the included 8GB microSD card is decent for storing your ebook library that may not have a lot of images, that would likely not be enough if you were aiming to read some comics on your ereader as they can be pretty big (quite a few of mine are over a gigabyte, with some over. Luckily, you can replace the microSD card with another one.

Before upgrading, you should backup the SD card to into an image file so the filesystem would be preserved when putting the contents of the image on the new SD card. I’m using the command dd but there might be another program doing the same thing. Even if you’re not going to upgrade, I still suggest to backup the SD card in case something goes wrong.

dd if=/dev/sdf of=kobo_sd.img conv=sync

After this is done, you can plug in your new SD card and reimage kobo_sd.img onto it. With dd, you can do something like:

dd if=kobo_sd.img of=/dev/sdf conv=sync

Checking it’s partition table via lsblk or fdisk -l should show three partitions. If you replaced the SD card with something bigger, than you should resize the third partition.

Bypassing Registration On Setup

When setting up your Kobo, you will be asked to sign into a Kobo account. There are other options like logging in via Google, Walmart, and other stores, but I don’t like having to login to a device that would likely not be connected to the public internet. Fortunately, you can bypass this by choosing that you cannot connect to a Wi-Fi network and mount your Kobo to your computer. In, .kobo/KoboReader.sqlite, you can run:

echo "INSERT INTO user(UserID,UserKey) VALUES('1','');" \
     | sqlite3 KoboReader.sqlite

This way you don’t have to install their application just to be able to use your device.

Note: Do not try doing this when you still have your SD card mounted before you setup your device. The device’s screen would likely not update, at least on an early firmware version like v4.7.10733.

Blocking Google Analytics and other Telemetry

Just adding 0.0.0.0 analytics.google.com to /etc/hosts may be enough to block most of the telemetry from being sent. However, you can try intercepting what connections your Kobo is making via mitmproxy set to transparent mode or using a hosts file that blocks all connections to Google (but not necessarily to Kobo’s servers) like Baobab’s host file. EDIT 2022-10-21: Baobab has deleted his account from Codeberg for quite a while, so these two links are dead. Instead, I now recommend Steven Black’s instead.

To put the hosts file without root (which will be detailed in another section), you can make a directory called etc, put the hosts file in there, and tar it into a file called KoboRoot.tgz.

mkdir etc
wget -O etc/hosts https://codeberg.org/baobab/hosts/raw/branch/master/hosts
tar czvf KoboRoot.tgz etc
cp KoboRoot.tgz /mnt/kobo/.kobo/

When you move a tar file with that name into your Kobo’s .kobo folder, it’s contents gets untarred into it’s root at / when the device is turned on again, which is usually done for their updates but can be used for custom files like this and gaining root access.

Gaining Root Access via Telnet

To gain root access, we first need to get the /etc/inittab and /etc/inetd.conf which you can get from mounting the SD card’s first partition into your computer (the second partition seems to be like a backup). You should copy those two files into a folder called etc somewhere (probably not on the SD card).

In the etc/inittab file, you should add these two lines:

::sysinit:/etc/custominit.sh
::respawn:/usr/sbin/inetd -f /etc/inetd2.conf

You would want to rename the etc/inetd.conf file you copied into etc/inetd2.conf (or whatever the custom inetd.conf’s filename is) and when editing that, you should add:

23 stream tcp nowait root /bin/busybox telnetd -i

However, if there is already a commented line for root telnet in the inetd2.conf, you should probably still add the above line and ignore the commented line as that may or may not work (didn’t for me).

To actually start inetd, you should add these lines somewhere in /etc/custominit.sh:

mkdir -p /dev/pts
mount -t devpts devpts /dev/pts
/usr/sbin/inetd /etc/inetd2.conf

After that, you just have to tar the etc/ folder again and copy it to your Kobo’s onboard/third partition’s .kobo folder.

tar czvf KoboRoot.tgz etc
cp KoboRoot.tgz /mnt/kobo/.kobo/

Now you could put your SD card back into your Kobo provided that they are already unmounted and turn your Kobo back on.

After connecting to the WiFi, simplying telnetting (?) into your Kobo and logging in as root should give you a root shell. :D

telnet $KOBO_IP

By default, root has no password so you should change it with passwd.

Getting SSH and SFTP access via Dropbear

I’m using Dropbear instead of OpenSSH because it’s better suited for embedded hardware like the Kobo Clara HD. Obviously we can’t copy a binary compiled for amd64 or whatever architecture your compiling computer is running so we would have to cross-compile for our ereader.

Fortunately, we are not required to cross-compile gcc/clang and friends as we can simply download the linaro arm toolchain which has the binaries for gcc and others included. You could get the toolchain here and you should get the release that matches your host’s architecture. After untarring the file, you should also set your PATH variable to the toolchain’s bin/ folder so you don’t have to manually set the CC and CXX variables when building Dropbear.

wget https://releases.linaro.org/components/toolchain/binaries/latest-7/arm-linux-gnueabihf/gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf.tar.xz
tar xvf gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf.tar.xz
export PATH=$(pwd)/gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf/bin:$PATH

Now you could get the source for Dropbear and cross-compile it. The source can be found on their homepage or GitHub repo.

wget https://matt.ucc.asn.au/dropbear/releases/dropbear-2020.81.tar.bz2
tar xvf dropbear-2020.81.tar.bz2
cd dropbear-2020.81
./configure --enable-static --host=arm-linux-gnueabihf
# MULTI=1 combines the binaries like busybox does and is also smaller in size
make MULTI=1 PROGRAMS="dropbear dropbearkey"

Now you only need to copy the dropbearmulti binary over to your Kobo. What I’ve done is running python3 -m http.server and downloading the file onto my Kobo but you could also just copy it onto the microSD card.

wget your.computer.ip:8000/dropbearmulti
chmod +x dropbearmulti
mv dropbearmulti /usr/bin
cd /usr/bin
# below are optional but dropbear(key) would be an argument for dropbearmulti
ln -s dropbearmulti dropbear
ln -s dropbearmulti dropbearkey

Now you only need to generate the host keys. My client key is ed25519 so I’m not going to generate the others.

mkdir /etc/dropbear
dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
dropbear -F -r /etc/dropbear/dropbear_ed25519_key

Now you could ssh into your Kobo and login as root. Remember to change root’s password beforehand though if you haven’t already! I suggest copying your public key to your Kobo via ssh-copy-id so you don’t have to enter root’s password all the time and so password-based logins can be disabled in dropbear.

To start it on boot, you could add the following line to /etc/inetd2.conf:

22 stream tcp nowait root /usr/bin/dropbearmulti dropbear -i -r /etc/dropbear/dropbear_ed25519_key

For some reason, the symlink wasn’t resolving for me inetd so I had to call the multi-binary directly. You could also add the command/args into /etc/custominit.sh.

FTP Access

If you don’t or can’t use sftp or scp for some reason, there’s always ftp :D There’s a ftp daemon included in busybox so all we have to do is enable it in /etc/inetd2.conf:

21 stream tcp nowait root /bin/busybox ftpd -w -S /

This would share the entire filesystem so you may or may not want to restrict the shared directory to maybe just your ebook directory (/mnt/onboard) and move the files out via telnet or ssh. EDIT 2022-10-21: A chroot would also work.

References

• Rémy’s notes on hacking a Kobo Aura H2O
• Ying’s notes on bypassing registration and setting up telnet, ssh, etc.
• MobileRead forum thread on disabling Google Analytics on the Kobo Touch
• MobileRead wiki on hacking the Kobo Touch